Cyber Resilience: Part One Introduction

This blog series is a re-tooling of a white paper I drafted in May 2015 while working at Stroz Friedberg. I want to thank Stroz Friedberg for the support and time to develop these ideas and specifically want to thank Bill Trent and Simon Viney from Stroz Friedberg's London office for their assistance and review. I also received valuable feedback from David Porter at Resilient Thinking and Dave Whitley at BAE Systems.

Introduction

The prevalence of digitally-enabled businesses, Internet-dependent customers and Internet-connected supply chains creates near unlimited opportunities and points of entry for cyberattacks, and significantly increases the potential for cybercrime to damage a company’s ability to maintain operations. This has created an environment in which cyberattacks by criminals, hacktivists and state-sponsored actors are more frequent and more damaging than ever.

In the last several months, businesses and individuals alike have experienced dramatic growth in attacks. The 2015 Global State of Information Security survey published by PwC highlights a 66% compound annual growth rate in detected incidents since 2009. These attacks range from simple to sophisticated, are often campaign-driven, and are orchestrated by industrialised global cybercriminals who operate with impunity thanks to limited legal frameworks for response.

The industrialisation of cybercrime is a particularly worrisome phenomenon. Its emergence is evident in the development of a black economy that draws together specialists in malware development, system infiltration, data exfiltration and system exploitation, social engineering, and malicious data centre hosting. This has enabled multi-staged cyberattacks where perpetrators first acquire access control data and other security tools, and then exploit access to data for financial gain or simply for the purpose of causing business disruption, news of which often promotes a perpetrator’s cause.

For example, in 2013 an extensive distributed denial of service attack targeted the Dutch retail banking sector, causing multiple outages at a number of online banks including a Globally Systemically Important Bank (G-SIB) and highlighting the vulnerability of digitally-enabled consumer services to disruption at a national scale. More recently, in 2014, a major data breach at a G-SIB in New York resulted in more than 83 million customer records being exposed, demonstrating that even the largest, most well-funded and prepared financial institutions can be hit by targeted cyber-attacks that cause both significant disruption to operations and harm.

In this environment, we are increasingly seeing a high level of collaboration and intersection between criminal entities and nation state entities, with the only difference between them during an attack being the goal they are pursuing in any particular campaign. Nation states' growing interest in commercial espionage is also blurring the line between national security and commercial security.

“DTCC expects cyber-attacks to escalate and become more sophisticated in the future. Attackers benefit from their anonymity and lack of attribution as well as their existence outside U.S. and E.U. jurisdictional boundaries, all of which minimize the probability of prosecution.” The Depository Trust & Clearing Corporation (DTCC), Beyond the horizon: A White Paper to the industry on Systemic risk, August 2013

Cyberattacks are therefore now a major challenge for all organisations – and the growing awareness of the inevitability of penetration is driving both rapidly increasing investment in, and much change in thinking about, cybersecurity. This is because, in practice, even with huge effort and investment, it is impossible for businesses to be absolutely confident in their cyber defences. The resources required to defeat a determined nation state attacker or an industrialised cybercrime syndicate that is prepared to use its most valuable ‘equities’ or exploits in an attack are simply beyond any commercial business. As a consequence, there is a growing acceptance that absolute “security” is unattainable and that organisations instead need to also think about “resilience” in the face of attacks with so high an impact that they degrade the ability of the business to operate normally. What is required is a systemic approach to managing cyber shocks.

“In the finance sector, we have to contemplate the possibility that core functions in firms, the financial market infrastructure that links them together or the supply chains that support them, may be damaged in a cyber-attack, either through the corruption or loss of data or outright loss of systems.” Andrew Gracie, Executive Director of Resolution of Bank of England, January 2015